Rights required to run AD cmdlets

Surprisingly, you can run most of them as a normal domain user – not an admin at all. You read that right: you don’t need to be a domain admin, and you don’t need to install them on a DC – any workstation will do as long as PowerShell and the AD cmdlets are installed on it.

The cmdlets simply try to execute your commands against AD: if your rights are sufficient, the command gets executed; if not, you get an error.

This means that I won’t, for example, be able to go and change our Domain Admins group or our CEO’s account, but I can indeed perform any Get-* cmdlets: Get-QADUser, Get-QADGroup, Get-QADComputer, Get-QADGroupMembership – they all just work!

What’s more, I can even modify objects as long as I have AD permissions for them. For example, at Quest we are all supposed to be able to modify our personal details (phone number, etc.) and there is even an intranet page for that – but I could never remember the address. PowerShell solves the issue. Here’s me modifying my personal account and adding my blog address as a comment to be shown in Outlook:
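An added example, not the command from the original post: a read-only check of which attributes AD will actually let the current user write, on their own account and on a privileged group, using the constructed `allowedAttributesEffective` attribute. It assumes the Quest snap-in is installed and the session runs as an ordinary domain user; the helper function name is hypothetical.

```powershell
# Added example (not from the original post).
# Assumes the Quest AD cmdlets are installed; load the snap-in if it is not already loaded.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Hypothetical helper: returns the attributes the *calling* user may write on an object.
function Get-EffectiveWritableAttribute {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    # allowedAttributesEffective is computed by AD per caller and per object,
    # so it is not returned by default and must be requested explicitly.
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $entry.RefreshCache(@('allowedAttributesEffective'))
    @($entry.Properties['allowedAttributesEffective']) | Sort-Object
}

# Reads work for any authenticated domain user.
$me    = Get-QADUser  -Identity "$env:USERDOMAIN\$env:USERNAME"
$group = Get-QADGroup -Identity 'Domain Admins'

foreach ($obj in $me, $group) {
    $writable = @(Get-EffectiveWritableAttribute -DistinguishedName $obj.DN)
    '{0}: {1} writable attribute(s) for {2}' -f $obj.Name, $writable.Count, $env:USERNAME
    $writable | ForEach-Object { "    $_" }
}
```

For a normal user the first list typically contains the self-service attributes the directory's ACLs grant, and the second is empty; any unexpected entry in either list is a delegation worth reviewing.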
